this post was submitted on 12 Jul 2023
110 points (97.4% liked)

Selfhosted

40040 readers
717 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS
 

So, I have some idea on what a reverse proxy does and will be using nginx (with the neat proxy manager UI) for my setup.

However, I'm not completely clear what exactly I want it to do and how I cn use it to run different services on one machine. I'm especially unclear on the ports configuration .... tutorials will say things like "change the listening port to xxx for that service and to port yyy for the other service"

How does this work, which ports can I use and how do I need to configure the respective services?

EDIT: thanks everybody, your replies did help me a lot! I have my basic setup now up and running using portainer + nginx + fail2ban.

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 4 points 1 year ago (1 children)

One big thing they’re used for is sort of multiplexing port 80/443. You have one daemon listening on them, and you can have multiple domains pointing at the same IP. The reverse proxy will figure out which backend service to forward requests too.

Proxies like Caddy and I think Traefik also automatically manage SSL certificates. In many cases you could have your application server handle SSL, but usually it’s a good idea to have dedicated software for this.

[–] [email protected] 1 points 1 year ago (2 children)

Could you have a look at my answer to the poster above - would multiplexing mean, that I configure my internal IP 0.0.0.0:XXXA for one service and 0.0.0.0:XXXB for another?

[–] [email protected] 2 points 1 year ago* (last edited 1 year ago) (1 children)

Yeah that’s exactly right! You have the proxy listen on 80/443 and use the subdomains to proxy to the respective other services that you have listen to other ports. Make sure those other ports are not open to the outside, though, as that would allow someone to bypass the proxy. In you example, you would change away from 0.0.0.0 to 127.0.0.1, which means the port is only open to the loop back interface, not the other ones. This happens accidentally especially when using docker for the app service. Also you should probably run some firewall to block all ports that you don’t wish to expose.

I’d really suggest you take a look at Caddy for the reverse proxy. It completely handles SSL certificate creation and renewal so you don’t have to do anything.

[–] [email protected] 2 points 1 year ago (1 children)

thank you, that clears things up a bit. Now it's to play around with it, until I get it up and running :)

[–] [email protected] 1 points 1 year ago

For future reading this "multiplexing" is called SNI inspection/routing and it can only be used when TLS/SSL is in use.

[–] bdonvr 1 points 1 year ago

You can already do that without a reverse proxy.

A reverse proxy allows you to have multiple services running on 0.0.0.0:XXXA

For example you might have two websites at a server on 192.168.0.123

Your server will be setup to show those websites at two different ports, say "192.168.0.123:123" and "192.168.0.123:321" - with foo.com on 123 and example.net at 321

Your reverse proxy will listen to requests on port 80 (where websites are usually served) and look at each request. If it's a request for the website at foo.com, it'll send it to port 123. If it's a request for example.net it will send it to port 321

But the client who is requesting the sites will only see port 80, at the same IP address for both sites.